1. Field of the Invention
The present invention relates generally to information processing and, more particularly, to systems and methods for security policies for regulating access and maintaining security of computer systems connected to networks using a community-based approach to influence the setting of security policies.
2. Description of the Background Art
The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs”. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.
In traditional computing networks, a desktop computer largely remained in a fixed location and was physically connected to a single local network (e.g., via Ethernet). More recently, however, an increasingly large number of business and individual users are using portable computing devices, such as laptop computers, that are moved frequently and that connect into more than one network. For example, many users now have laptop computers that can be connected to networks at home, at work, and in numerous other locations. Many users also have home computers that are remotely connected to various organizations from time to time through the Internet. The number of computing devices, and the number of networks that these devices connect to, has increased dramatically in recent years.
In addition, various different types of connections may be utilized to connect to these different networks. A dial-up modem may be used for remote access to an office network. Various types of wireless connectivity, including IEEE (Institute of Electrical and Electronics Engineers) 802.11 and Bluetooth, are also increasingly popular. Wireless networks often have a large number of different users. Moreover, connection to these networks is often very easy, as connection does not require a physical link. Wireless and other types of networks are frequently provided in cafes, airports, convention centers, and other public locations to enable mobile computer users to connect to the Internet. Increasingly, users are also using the Internet to remotely connect to a number of different systems and networks. Thus, it is becoming more common for users to connect to a number of different networks from time to time through a number of different means.
One of the implications of this increasing number of devices occasionally connected to different networks is that traditional corporate firewall technologies are no longer effective. Traditional firewall products guard a boundary (or gateway) between a local network, such as a corporate network, and a larger network, such as the Internet. These products primarily regulate traffic between physical networks by establishing and enforcing rules that regulate access based upon the protocol and type of access request, the source requesting access, the connection port to be accessed, and other factors. For example, a firewall may permit access to a particular computer using TCP/IP on TCP port 80, but deny remote access to other computers on the network. A firewall may also permit access from a specific IP address or range (or zone) of IP addresses, but deny access from other addresses. Different security rules may be defined for different zones of addresses. However, traditional firewall technology guarding a network boundary does not protect against traffic that does not traverse that boundary. It does not regulate traffic between two devices within the network or two devices outside the network. A corporate firewall provides some degree of protection when a device is connected to that particular corporate network, but it provides no protection when the device is connected to other networks.
One security measure that has been utilized by many users is to install a personal firewall (or end point security) product on a computer system to control traffic into and out of the system. An end point security product can regulate all traffic into and out of a particular computing device. For example, an end point security product may expressly seek authorization from a user or administrator (or from a policy established by a user or administrator) for each network connection to or from a computing device, including connections initiated from the device and those initiated from external sources. This enables a user or administrator to monitor what applications on a device are accessing other machines or networks (e.g., the Internet). It also enforces security by obtaining authorization for each Internet or network connection opened to (or from) the device, including connections initiated both internally and externally. In the home environment, for instance, an end point security product enables a home user to monitor the applications he or she is using and enforces security by requiring his or her authorization for each connection. Typically, for connections initiated from the device, a user may configure application permission rules that permit certain applications to connect to one or more networks or devices, such as a local area network (LAN) or a wide area network (WAN), such as the Internet. These application permission rules may, for instance, permit a particular application, such as a Web browser program, to open connections to the Internet. A rule may also be configured to permit an application to access another computer on the same LAN, but prohibit this application from opening an Internet connection.
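The per-application, per-zone permission model described above can be sketched as follows. This is an added example, not code from the patent or from any product; the program paths, zone names and addresses are constructed, and the "ask" result stands for prompting the user when no rule matches.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zones (assumption): one home LAN range and a catch-all Internet zone.
ZONES = {
    "lan": [ipaddress.ip_network("192.168.1.0/24")],
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
}

@dataclass(frozen=True)
class Rule:
    program: str    # full path of the executable (hypothetical paths below)
    zone: str       # key into ZONES
    direction: str  # "out" = initiated from the device, "in" = from outside
    action: str     # "allow" or "block"

# Constructed application permission rules mirroring the examples in the text:
# a browser may open Internet connections; a sync tool may reach the LAN only.
RULES = [
    Rule("/usr/bin/browser", "internet", "out", "allow"),
    Rule("/usr/bin/browser", "lan", "out", "allow"),
    Rule("/opt/fileshare/sync", "lan", "out", "allow"),
    Rule("/opt/fileshare/sync", "internet", "out", "block"),
]

def zone_of(addr):
    """Return the most specific zone (longest prefix) containing addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, nets in ZONES.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    # Addresses outside every listed range are treated as Internet.
    return best[0] if best else "internet"

def decide(program, remote_addr, direction, rules=RULES):
    """Return "allow" or "block" from a matching rule, else "ask" (prompt)."""
    zone = zone_of(remote_addr)
    for r in rules:
        if (r.program, r.zone, r.direction) == (program, zone, direction):
            return r.action
    return "ask"  # no rule: the end point product would alert the user

if __name__ == "__main__":
    for prog, addr, d in [("/usr/bin/browser", "93.184.216.34", "out"),
                          ("/opt/fileshare/sync", "93.184.216.34", "out"),
                          ("/tmp/updater", "93.184.216.34", "out")]:
        print(prog, addr, d, "->", decide(prog, addr, d))
```

Every program without a matching rule falls through to "ask", which is the source of the repeated prompts discussed in the following paragraphs.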
End point security products are becoming increasingly popular as a means of securing an individual computing device or as part of a security solution for a corporate network or similar group of computers serving a particular organization. Despite the increasing popularity of end point security products, some issues remain. One issue for users of end point security products is that users (or administrators in the case of managed systems) are asked to make decisions about access privileges for a number of different applications. Frequently, these users do not have the experience or information necessary to make informed decisions about access privileges for all of these different applications. As a result, in an effort to maintain security many users are either overly conservative or overly permissive in establishing access privileges and other security settings.
If a user is overly conservative, he or she may block legitimate applications from accessing other devices or resources, or may establish settings which provide for frequent prompts as to whether or not access by a particular application should be permitted. An overly conservative configuration which results in repeated prompts (i.e., alerts) to a user can be frustrating as it may delay his or her performance of various tasks. This type of overly conservative configuration may also be problematic as the user may become accustomed to allowing access (e.g., by selecting “allow” instead of “block”) in response to these frequent connection alerts. This can result in security breaches as the user's response may become reflexive. He or she may allow access in response to every alert rather than carefully examining the specifics of the request for access.
On the other hand, a user may also be overly permissive in making decisions regarding access rights and other security settings. A user may fail to recognize harmful applications that represent serious security threats, or the user may not configure his or her end point security product to provide sufficient protection against inappropriate requests for access. For example, a user may not recognize “Trojan horse” or “spyware” applications, as such malicious applications are often disguised to hide their true nature behind plausible names and publisher information. In either case, the user may fail to take the proper steps necessary to be adequately protected from harmful code or other malicious activities because he or she may lack the necessary information or experience to evaluate what types of access should be permitted.
Existing solutions, to the extent they have focused on these problems, have primarily been focused on the network layer and, more particularly, on well-known attacks on the networking layer. These prior solutions have not attempted to provide a solution that regulates or provides guidance about whether a particular application should (or should not) be able to open connections or obtain access to other resources. Increasingly, however, malicious attacks are not using proprietary protocols to communicate, but rather are using commonly used protocols like HTTP (HyperText Transfer Protocol). As a result, it is increasingly difficult to distinguish good and bad traffic at the network layer without knowing the specific application (or program) that is initiating the communication. This presents particular problems to home and small business users with limited technical skills and resources. Mobile users that frequently connect to a number of different networks and applications are also forced to make decisions about access rights more frequently. Moreover, many programs (applications) now installed by these users include automatic update features in which the program initiates a connection to a remote machine to check for program updates. This further increases the burden placed on users, particularly users having unmanaged environments and without significant technical expertise, in appropriately determining program access rights.
One possible solution to this problem is to provide a description of all known legitimate and illegitimate applications that a user could consult in determining whether or not to permit a certain level of access by a particular application. However, the universe of legitimate applications is too large and changes too frequently to create and maintain a comprehensive database of all legitimate applications. Describing and documenting all illegitimate applications is an even more daunting task.
What is required is a solution that will provide users with guidance about proper use and configuration of a program to facilitate better use of such program. For example, providing advice to a user of an end point security program about which applications should be provided with access rights enables the user to make better decisions about use and configuration of such security program. Ideally, the solution should provide an easy to use mechanism for users to provide feedback and obtain consensus recommendations from other users. For example, a solution providing advice to users of an end point security product should ideally enable many requests for access to be automatically resolved without requiring the user to be asked specifically about each and every request for access. The present invention fulfills these and other needs.